EclecticIQ
Threat Actors Continually Expand and Evolve Tools, Techniques, and Associations with Other Groups

EclecticIQ Threat Research Team June 17, 2021

Week 24

Summary of Findings

    • A Chinese APT group is sending malicious documents to employees of a Southeast Asian government agency in an ongoing surveillance operation.
    • The operators of the Necro Python bot have added new functionality to its toolset, including remote command execution exploits.
    • TeamTnT has been evolving its cryptojacking operations to enumerate AWS cloud environments for lateral movement and post-exploitation activities.
    • Assertions by Prometheus, a new ransomware gang, that it is part of REvil may be an effort to exploit the other gang’s notoriety to persuade victims to pay.
    • As indicated by its name, the APT group BackdoorDiplomacy targets foreign affairs ministries by exploiting internet-exposed applications to gather information.

Chinese Threat Group Targeting SE Asian Government with Unknown Backdoor

A Chinese threat group is leveraging a previously unknown backdoor in its ongoing surveillance operation against a Southeast Asian government entity. The operation has been ongoing for at least three years. The group targets government employees with malicious Word documents that leverage the Equation Editor exploit. The group uses the RoyalRoad tool to create the weaponized Rich Text Format (RTF) files. The weaponized Word document downloads the loader, which installs the backdoor on the system.

Necro Python Bot Updated with New Functionality

An unidentified actor has updated the Necro Python bot with new functionality to expand the types of systems it can compromise. While the exact timing of the new update is unknown, the bot has been increasing its activity since January 2021. It is now able to leverage vulnerabilities in VMware vSphere, SCO OpenServer, and Vesta Control Panel. New command-and-control and communication functionality was also added. The Necro Python bot targets small office and home office routers.

TeamTnT Targets Cloud Platforms

The cybercriminal group TeamTnT continues to evolve its toolsets for its campaigns, which now include using compromised Amazon Web Services (AWS) credentials to enumerate AWS cloud environments. The toolsets are able to identify:

  • Identity and Access Management (IAM)
  • Elastic Compute Cloud (EC2)
  • Simple Storage Service (S3) buckets
  • CloudTrail configurations
  • CloudFormation operations

TeamTnT now also targets Google cloud applications for credential theft. The group has added the open-source container and cloud penetration tool Peirates for internal reconnaissance and lateral movement.
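The enumeration described above leaves a distinctive trace in CloudTrail: one principal walking several read-only discovery APIs across unrelated services within minutes. The detection below is an added example written for this post, not EclecticIQ's code and not TeamTnT's tooling; the event-name-to-service map, the ten-minute window, the three-service threshold and the sample records (with documentation IP ranges and a fictitious account ID) are all constructed assumptions to be tuned for a real environment.

```python
"""Flag bursts of cross-service discovery API calls in CloudTrail records.

Added example: event names, thresholds and sample records are assumptions
chosen to illustrate the pattern described in the post, not a vetted rule.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only discovery calls mapped to the service families named in the post.
# Which events belong here is an assumption; extend it for your environment.
ENUMERATION_EVENTS = {
    "ListUsers": "IAM", "ListRoles": "IAM", "GetAccountAuthorizationDetails": "IAM",
    "DescribeInstances": "EC2", "DescribeSecurityGroups": "EC2",
    "ListBuckets": "S3", "GetBucketPolicy": "S3",
    "DescribeTrails": "CloudTrail", "GetTrailStatus": "CloudTrail",
    "ListStacks": "CloudFormation", "DescribeStacks": "CloudFormation",
}

# Constructed sample log (newline-delimited CloudTrail records, trimmed to the
# fields this detection reads). ci-deploy enumerates five services in 27 s;
# ops-alice touches three services but spread over a working day.
SAMPLE_LOG = """
{"eventTime":"2021-06-14T09:00:03Z","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2021-06-14T09:00:09Z","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2021-06-14T09:00:15Z","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2021-06-14T09:00:21Z","eventName":"DescribeTrails","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2021-06-14T09:00:30Z","eventName":"ListStacks","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2021-06-14T09:01:00Z","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2021-06-14T08:00:00Z","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-alice"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2021-06-14T11:30:00Z","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-alice"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2021-06-14T15:00:00Z","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-alice"},"sourceIPAddress":"198.51.100.7"}
"""


def parse_events(lines):
    """Parse CloudTrail JSON lines into (time, principal, source_ip, event_name) tuples,
    keeping only the discovery calls listed in ENUMERATION_EVENTS."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        name = rec.get("eventName")
        if name not in ENUMERATION_EVENTS:
            continue  # not discovery traffic; ignore
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        events.append((ts, principal, rec.get("sourceIPAddress", ""), name))
    return events


def detect_enumeration(events, window=timedelta(minutes=10), min_services=3):
    """Return one finding per principal whose discovery calls span at least
    min_services distinct services inside a single sliding time window."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[ev[1]].append(ev)
    findings = []
    for principal, evs in by_principal.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        start = 0
        for end in range(len(evs)):
            # Advance the window's left edge until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            services = {ENUMERATION_EVENTS[e[3]] for e in evs[start:end + 1]}
            if len(services) >= min_services:
                findings.append({
                    "principal": principal,
                    "source_ips": sorted({e[2] for e in evs[start:end + 1]}),
                    "services": sorted(services),
                    "first_seen": evs[start][0].isoformat(),
                    "last_seen": evs[end][0].isoformat(),
                })
                break  # one finding per principal is enough for triage
    return findings


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect_enumeration(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding, indent=2))
```

On the sample, only ci-deploy is reported: the finding fires as soon as a third service (IAM, EC2, S3) appears inside the window, while ops-alice's three calls are hours apart and never share a window. In production the same logic runs over CloudTrail exported to S3 or a SIEM, and the principal plus source IP in the finding is what an analyst would check against known CI runners and admin workstations before rotating the key.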

Prometheus Group Claims to Be Part of REvil

A new ransomware group named Prometheus, which uses malware and techniques similar to the Thanos group, claims to be part of REvil, a better-known ransomware gang. However, Unit 42 researchers see no evidence to support this claim, which they speculate could be an attempt to leverage REvil’s reputation to persuade victims to pay up, or an attempt to divert attention away from Thanos. Prometheus leverages double-extortion tactics and maintains a leak site to pressure the victim into paying. Requested payments range from $6,000 to $100,000 in Monero, with the price doubling if the victim doesn’t pay within the established timeframe, usually a week. Prometheus actively targets multiple industries globally.

BackdoorDiplomacy Uses Turian Backdoor on Government Ministries

The APT group BackdoorDiplomacy has been targeting diplomatic organizations, and less frequently telecommunications companies, in Africa and the Middle East with the Turian backdoor since 2017. Recent analysis highlighted BackdoorDiplomacy’s similarities with Asian threat groups. Turian’s network encryption protocol is similar to that of Whitebird, a backdoor operated by the Asia-based group Calypso. BackdoorDiplomacy uses tactics and techniques similar to those of the Asia-based threat group APT15. The group exploits vulnerable internet-exposed applications to drop and execute a webshell. They deploy open-source software for reconnaissance and information gathering. The backdoor can scan for removable media and copy its contents.


© 2014 – 2021 EclecticIQ B.V.